Suit To Let Researchers Break Website Rules Wins a Round

An anonymous reader writes: Anyone following Facebook's recent woes with Cambridge Analytica might be surprised to hear that there's a civil liberties argument for swiping data from websites, even while violating their terms of service. In fact, there's a whole world of situations where that thinking could apply: bona fide academic research. On Friday, a judge in a D.C. federal court ruled that an American Civil Liberties Union-backed case trying to guarantee researchers the ability to break sites' rules without being arrested could move forward, denying a federal motion to dismiss. "What we're talking about here is research in the public interest, finding out if there is discrimination," Esha Bhandari, an ACLU attorney representing the academics, told Axios.

You could justify

[macxcool]

just about anything if you start with 'in the public interest' and 'finding out if there is discrimination'. Also. Can people just use 'unjust discrimination' instead? Discrimination is what we do as human beings. We can't function without it. (sorry. Pet Peave).

Re:You could justify

[CrimsonAvenger]

Read summary, and this was the first thing that occurred to me.

ANYTHING can be defined as "in the public interest", if your lawyers are halfway decent. Including having the government spy on everyone, all the time.

This looks like the beginning of a very slippery slope, and we aren't going to enjoy the ride to the bottom even a little bit....

DO remember that even if you approve of this sort of thing when done to your enemies (political and otherwise), it won't be nearly so much fun when they use it against you by and by.

And they will....

Re:You could justify

[Sarten-X]

Yeah... this is a minefield.

What Cambridge Analytica did was "research". Ostensibly, their research was "in the public interest" because they thought the best thing for the public was for Trump to win the election. At the same time, yes, there are places out there doing legitimately bad things, and if their TOS is enforceable, investigative researchers won't be inclined to look into the transgression, because they might be sued or face other undue consequences.

It might be a bit more appropriate to have some kind of governmental body to do research into illegal activities (a bureau of federal investigation, if you will), and instead ensure that things like discrimination are suitably illegal. That office's investigations could be explicitly authorized to violate TOS and EULAs, through the normal warrant process.

Re:You could justify

[butchersong]

There are very few or possibly no scenarios in which I think breaking the TOS on a website should be prosecutable as a criminal offense in any case.

Re:You could justify

[mrclevesque]

"Actually Cambridge Analytica had very little if not nothing to do with Trump winning the election."

An assertion based on what?

Re:You could justify

[ravenshrike]

Well hell, the Washington Post was perfectly happy to publish a love letter to Xi over his abolishing term limits and consolidating the secretary-general and presidential posts into one so clearly they're on board.

Whether algorithms are biased? "Of course"

[Opportunist]

An algorithm cares about is nothing but whether it's profitable. Rest assured it will be biased. Why? Because of exactly that. All it takes is that some algorithm determines that $minority as a group has a higher chance of destroying something, not paying rent or generally being something you don't want as a landlord. And there you go.

This is near certain. Yes, that's unfair. Algorithms don't care about fairness, though. They "care" (strange word with computers. Or corporations for that matter...) about profit.

Just like I was really pissed when I was 23 and needed to rent a car and they only would've given me one if I paid through the nose. That's ageism! Or an algorithm telling them that young people tend to have more accidents.

Re:Whether algorithms are biased? "Of course"

[XxtraLarGe]

An algorithm cares about nothing

FTFY. Algorithms don't care about anything. They don't care about valid or invalid input. Either they will work or they won't, but they still don't care.

Re:Whether algorithms are biased? "Of course"

[Opportunist]

The algorithm does not care.

Re:Whether algorithms are biased? "Of course"

[butchersong]

Even when you control for all of that you still see disparities by race. People have this knee-jerk reaction when these topics are brought up but honestly.. if you adopt 100 chinese babys and 100 babys, isolate them from any external media influences and treat and raise them the same, does anyone really doubt that you are likely to see very distinct differences between the adult populations of both groups?

Re:Whether algorithms are biased? "Of course"

[butchersong]

Obviously I for example have some sort of genetic trait that impairs my ability to spell babies properly.

Re: Whether algorithms are biased? "Of course"

[Shotgun]

Also known as capitalism. Also known as human nature.

BTW, also notice that you did not concede that you were willing to volunteer yours. Just upset that others are not willing to volunteer theirs.

Re:Whether algorithms are biased? "Of course"

[Opportunist]

Even if fed correct data the outcome can be considered "biased" if it dares to come to the conclusion that you should not deal with $minority.

Remember, we redefined words. "Biased" no longer means "unreasonable opinion about a group". We struck the "unreasonable" from that definition.

To clarify:

This suit is over whether breaking a site's TOS consittutes a criminal offense under the CFAA, notably 18 USC 1030(a)(4-6).

There is a circuit split on this issue, which this suit attempts to clarify.

This suit does not have any impact on civil or contractual suits researches might face for breaking TOS, only whether doing so is a federal criminal offense under this specific law.

Re:To clarify:

[AmiMoJo]

Thanks, I figured it was like Iron Man or something.

Re:To clarify:

Under the CFAA, it is a criminal offense to, among other things, to gain something of value by "access(ing) a protected computer with intent to defraud," or "exceed(ing) authorized access." It is also an offense to access a "protected computer" without authorization and intentionally or unintentionally cause damage or loss, or to "traffic in any password similar information through which a computer may be accessed without authorization."

So a lot of the analysis depends on whether intentionally violating TOS 1) constitutes an intent to defraud or 2) creates an unauthorized access and 3) whether the passwords created by doing so are being used in an unauthorized manner, especially when revealed to other individuals within the research organization.

The second line of analysis is a public policy one that considers whether even if the answers to all the above questions are "yes," there is an overriding interest for the public to have access to this kind of study that allows for an exception for researchers.

Re:To clarify:

[ravenshrike]

Given that in many cases researchers pay for the type of information the lawsuit is about, they are clearly getting something of value.

Re:The absurdity of an exemption

[Opportunist]

That's what I did. Worked pretty well so far.

Re:The ends do not justify the means ...

[HornWumpus]

You don't own data about you. Too bad and all, but that's the state of affairs.

_If_ Cambridge did anything wrong, the victim was facebook. Who's valuable dataset was accessed without sufficient payment in cash and/or influence.

Re:The ends do not justify the means ...

[sycodon]

If you don't want your personal data to be grabbed, don't put it in a place that is publicly accessible...like Facebook.

It's one thing to rip off info from your account on Amazon, where you enter it merely to find and purchase products. That's is wrong.

But if you post personal info to Facebook or other social media sites and leave it marked Public, let alone take part in surveys, etc. then that data is fair game no matter what the website hosts says.

same argument used for experimentation on people?

[RhettLivingston]

Is this not the same argument used by doctors and governments throughout time for medical experimentation on prisoners and people who don't know they are being experimented on? Why would the ACLU of all organizations not see this?

Re:The ends do not justify the means ...

This isn't about 'stealing your data'.

This is about being able to create fake accounts for the purposes of researching if people react differently to a person based on information from a profile (specifically, the information which falls under 'protected status' like race).

The ACLU and research companies can't get your data unless you put it out there publicly. It's not like they are asking for permission to haxorz the facebook dbz.

If you put your data out there on the street you shouldn't go crying when someone picks it up and does something with it.

Shitty summary. Read the actual complaint

[clovis]

I don't see in the actual lawsuit anything about swiping collected data, nor is the suit suggesting accessing website data other than through the normal access a person typing at a keyboard using the site in a normal way would do. In other words, it isn't about mass data grabbing from servers behind the web site.
What the complaint is covering is very narrowly defined behavior.

Here is the actual ACLU Sandvig v. Lynch - Complaint
https://www.aclu.org/legal-doc...

It's about violating TOS access to websites that forbid using dummy accounts, bots to do testing, scraping (saving screenshots in this case), or violating TOS with non-disparagement clauses.
The complaint says that on-line access that may violate a TOS should not be covered under the CFAA, and that the penalties are far too harsh.

Here's what they're talking about: Researchers want use dummy accounts with the names of people that appear to be some minority group, so that they can see if that group is being discriminated against. As an example, AirBNB, VRBO and such like are prime examples of where that sort of discrimination is in play. Many sites require real names, and non-disparagement clauses would obviously be violated if the research turned up anything.

I especially object to non-disparagement clauses in sites that have an open interface to the public, and although I think that requiring real names is a valid stipulation to use a website, I cannot support that using an alias is a criminal act. The website has the option of cancelling your account if they don't like you much in the same way that the mall can kick you out for not wearing shoes.

Re:Shitty summary. Read the actual complaint

[Obfuscant]

Here's what they're talking about: Researchers want use dummy accounts with the names of people that appear to be some minority group, so that they can see if that group is being discriminated against.

However, as a precedent, it would be applied much more broadly.

Automated access to the websites I run is an abuse of those sites, and such access is covered by a robots.txt rule. I don't care if an "academic researcher" thinks that making thousands of hits per hour is going to help him learn something, it's still an abuse and his desire is not an excuse.

I faced this issue back when robots were just taking over. I had a site that ran an ocean tide prediction program that I made available as part of other data for people-users. A very "kind" robot indexer came by and started making one hit per second, following the "next day" and "other sites" links and happily indexing the predicted tides. The problem was, the program took much longer than 1 second to calculate the answer. The term is "geometrical explosion", and I had to modify the code to emit a robots.txt -- it wasn't a web page in itself, it was a program running on a different port. (Because it was a different port than "80" the excuse was that it was a "different site", even though it was the same site, and the main site's robots.txt didn't apply to the happy indexer.)

The choices were not to run the site and deny everyone access to the data, or to block indexers using the standard method. Should this choice happen again today because the indexers or robots are ignoring robots.txt, the choice may not wind up the same. Putting deny clauses in firewalls is a losing game -- chasing robots that use hundreds if not thousands of addresses.

Determining if "uber" or "airbnb" are illegally discriminating is not an "academic research" problem. It is a legal problem. Don't try slipping your web scraping in under "academic research" when your goal is not.

Re:Shitty summary. Read the actual complaint

[clovis]

Yep, what you said.
If you do get a chance, read the case and just skip down to points 173-179.
To my eyes this is the most important part of the case, and it addresses a big question: Why does Facebook get to decide that using an alias on their website is a federal crime? The case also points out that the TOS can be changed at any time, so even if you read it, your initially legal conduct could be criminalized at any time while you're using the web site.

The Challenged Provision Represents an Unconstitutional Delegation of Authority to Private Parties

173. The Challenged Provision delegates to website owners the legislative
power to determine which conduct is criminal.
174. The Challenged Provision makes it a federal crime to visit a website in a
manner that “exceeds authorized access.” The private parties that draft terms of service
determine the conditions under which access is authorized; as a result, they wield the
power to define the conduct that violates the Challenged Provision, including conduct
that occurs subsequent to accessing a website or is unrelated to any legitimate access
restriction.
175. The Challenged Provision does not merely provide for the enforcement of
private contractual arrangements: It renders conduct a separate, federal crime if it violates
a website’s ToS.
176. The private processes through which terms of service are drafted and
approved are closed and nontransparent, with no requirement for public comment or
participation. Because terms of service can be and are constantly revised, members of the
public lack even the most basic notice that revisions are in progress, and have no right to
participate in defining what terms of service require.
177. The government retains no control over the lawmaking process because
terms of service prohibitions, drafted by private parties without public input, effectively
become criminal prohibitions backed by federal law. The Challenged Provision allows
private parties unilaterally and undemocratically to define the conduct that constitutes a
crime.
178. The Challenged Provision fails to notify ordinary people of what conduct
is criminal because there is no requirement that ToS be drafted with the requisite clarity
or precision required for defining conduct that is criminal.
179. For these reasons, the Challenged Provision’s delegation of the legislative
power to private parties completely removes the lawmaking function from the political
process and from the mechanisms for democratic accountability, and is unconstitutional.

Points 162-169 are also interesting.

Re:Shitty summary. Read the actual complaint

[clovis]

Basically I agree with you about abusive bots, and this case document does state that these researchers scripts are designed to mimic an actual person typing and clicking, and they claim that their automated scripts should cause no impact or minimal impact. (point 96 or so)

Excessive/abusive access (whether by bots or groups of people) does need better rules regulating it. Right now the CFAA addresses that too vaguely.
And that should not be something in a TOS for one site but not another, it should be for all sites.

As for this "Determining if "uber" or "airbnb" are illegally discriminating is not an "academic research" problem. ", you're just plain wrong there.
You're right that it is a legal problem, but studying laws and their impact on society is exactly among the things academic institutions are supposed to do.

Re:Shitty summary. Read the actual complaint

[Obfuscant]

And that should not be something in a TOS for one site but not another, it should be for all sites.

Of course not. There may be sites that are happy to have robots come index them, and they should not be limited by laws prohibiting that. Neither should laws permit robot indexing in any blanket manner, since there are sites who have decided they do not want this.

As for this "Determining if "uber" or "airbnb" are illegally discriminating is not an "academic research" problem. ", you're just plain wrong there.

BY DEFINITION, if someone is trying to determine if an illegal activity is being performed, it is not an academic research issue. It is a legal issue.

You're right that it is a legal problem, but studying laws and their impact on society

This alleged research project is not studying "laws and their impact on society", they're looking for illegal discrimination. The assumption that justified doing that is that it has a negative impact on society. They're trying to determine if those sites are violating the law, not whether those laws are good or bad or the violations have any impact. They're using made-up names to see if the sites are making assumptions based on the names and returning different answers, assuming that any differences are because of illegal discrimination and thus bad.

Using the ubiquitous car analogy, pointing a LIDAR unit at a moving vehicle to determine if it is speeding or not is not "academic research" into the "laws and their impact on society", nor is it studying the physics of light, it is a legal determination, and thus a legal matter. Yes, you, as a private citizen, can point a LIDAR unit at anything you want because it truly has no impact on what you are measuring (unless it is a camera that is sensitive to the IR light, at which point when someone tells you to stop you should) and normally undetectable. Hammering away at a website using fake names can be detected and does have an impact on the website.

You might argue that sampling the speed of many cars is a statistical measure of whether the current laws are being obeyed and what a more appropriate speed limit might be, but sampling one car ("airbnb", e.g.) does nothing to measure that. "Are YOU violating the law" is not a research issue.

Re:Shitty summary. Read the actual complaint

[Obfuscant]

The case also points out that the TOS can be changed at any time, so even if you read it, your initially legal conduct could be criminalized at any time while you're using the web site.

It is the right of every property owner to determine if your access to their property constitutes a crime or not. This is simple common sense.

For example, if I open my door and say "party inside, y'all are welcome", then when you enter my property it is not the crime of trespassing. If I put up a sign that says "no trespassing", then your entry upon my property is a crime. Yes, truly, I have determined whether or not your presence on my property is a crime or not. Same act, two different results. I didn't have to have "public notice" or "public comment", I just unilaterally decided that I did not want you on my property. I can even make it specific, and just because you see someone else on my property doesn't mean you are welcome to join them.

In fact, I can trivially convert your non-criminal act into a criminal act by simply telling you to leave. I can change it at a moment's notice. I don't need to ask anyone else or get everyone else's opinion on it. "Leave now".

The laws about unauthorized use were not created by Facebook or any other website. That was a function of the authorized legislative bodies. Determining what is and is not authorized use is a function of the property owner. They make these kinds of decisions all the time, all around you. It's private property. You do not want government stepping in and deciding what "appropriate use" of your property is, so don't expect others to welcome such legal meddling.

Now, "we" have decided that some things require such meddling, like making sure that commercial entities do not discriminate on certain criteria, but "use a real name" or "do not scrape my data" are not amongst those. Even "you must pay me $1000 to use my website" is discriminatory, but "have money" and "don't have money" are not yet protected classes.

Re:Shitty summary. Read the actual complaint

[clovis]

It is the right of every property owner to determine if your access to their property constitutes a crime or not. This is simple common sense.

It is the right of every property owner to determine if your access to their property constitutes a crime or not. This is simple common sense.

It may seem like common sense to you, but it is not true.
It is especially not true if the person is a tenant or has some previously agreed living arrangement, or if the property is otherwise open to the public.

There are many laws surrounding access to private property that is otherwise open to the public to enter, shopping malls for example.
The mall's owner's cannot arbitrarily declare that some behavior on their property is a criminal act and have you arrested for that. Suppose the mall decided to disallow wearing a name badge.
They can tell people with name badges to leave and not return, and then that person could be arrested for trespassing if they return.
But the mall cannot declare wearing a name badge to be a crime and have people arrested for name badge wearing.
And what this case is saying, Congress cannot delegate that law-making ability to the owners of malls, nor to web sites.
The Constitution's delegation of powers rule does not allow that.

Re:Shitty summary. Read the actual complaint

[ravenshrike]

Also important, by making fake accounts they make airbnb and uber less reliable since they obviously cancel any orders that do go through, which makes the users of the services trust them less. This is a material harm to the companies in question.

Re:Shitty summary. Read the actual complaint

[Obfuscant]

It may seem like common sense to you, but it is not true.

For the most common cases, it is quite true. The examples I gave are true. Facebook is not a rental property nor is it a public space. They have the right to determine what an authorized use is. You do not want the government making that decision.

There are many laws surrounding access to private property that is otherwise open to the public to enter, shopping malls for example.

The example of trespass is quite accurate even when applied to a shopping mall. All it takes to convert your legal presence into a criminal act is for the owners to have you trespassed from the premises. They call the cops, the cops issue you a trespass notice, and the next time you show up there you can be arrested. It happens a lot. Even for a public space like a public university where the land is owned by the state -- the taxpayers. If you misbehave on a university grounds you can and likely will be trespassed, and that makes your presence there illegal.

The mall's owner's cannot arbitrarily declare that some behavior on their property is a criminal act and have you arrested for that.

That's not what's happening. They're determining appropriate use. Then the laws against inappropriate use kick in.

Suppose the mall decided to disallow wearing a name badge.

There is no law against wearing a name badge. There are laws against trespass. The mall owners determine who is trespassing and who is not; the law is there to back them up. The mall owners did not create the law, they just decide who is violating it.

And what this case is saying, Congress cannot delegate that law-making ability to the owners of malls, nor to web sites.

They aren't delegating any law-making. They have made a law regarding authorized use of private property. The owners have the right to determine what uses are authorized. In the shopping mall example, you might have seen signs that say "no car sales from this parking lot". Or no alcohol. Or many other uses that are not authorized. Break those rules and you will be trespassed, which makes your presence a violation of trespass laws. The laws were not delegated to the property owners; the right to decide authorized use is and was theirs.

Re:Shitty summary. Read the actual complaint

[clovis]

I suppose the other thing that is bothering me is that the private property that is being regulated is mine.
Going to a web site and going to a store have something different. I'm using my device at home to access the web site.
The owners of the web site are saying that they have the right to dictate how I use my keyboard and mouse at my house. Whether I two-finger type in my userid "clovis" or use a vbscript sendkey to send the same string, the http/TCP/IP packet that arrives at the web site is indistinguishable. How can the owners of the web site declare it to be a crime to depending upon the method I use to create the packet on my PC?
How can the owner of a web site say that I cannot take a screen shot on my own PC or photograph the screen? Copyright law can prevent me from displaying that content anywhere else or showing to other people, sure, but otherwise it's mine.

It's like the owner of the mall tries to refuse access to people who ride the bus instead of walking there.

Re:Shitty summary. Read the actual complaint

[Obfuscant]

I suppose the other thing that is bothering me is that the private property that is being regulated is mine.

Don't be silly.

Going to a web site and going to a store have something different. I'm using my device at home to access the web site.

You are using your device to access someone elses property. The violation of authorized use is not what you are doing with your property, it is what you are doing to someone elses.

The owners of the web site are saying that they have the right to dictate how I use my keyboard and mouse at my house.

Knock it off. You know that isn't what is happening. They don't care how you use your keyboard or mouse, they are responding to your use of their property.

Whether I two-finger type in my userid "clovis" or use a vbscript sendkey to send the same string, the http/TCP/IP packet that arrives at the web site is indistinguishable.

That's nice but irrelevant.

How can the owners of the web site declare it to be a crime to depending upon the method I use to create the packet on my PC?

They aren't, and you know that. The fact that you are creating thousands of packets containing fake names over a few hours pretending to want to rent an apartment on airbnb and sending them to the airbnb servers is the relevant bit.

How can the owner of a web site say that I cannot take a screen shot on my own PC or photograph the screen?

My God, are you never going to stop with this nonsense? They can't. And you know they aren't trying.

It's like the owner of the mall tries to refuse access to people who ride the bus instead of walking there.

No. It has nothing to do with how you get there, only with what you do when you do. It doesn't matter if you take a bus or walk to the mall if you set up a booth trying to sell gizmos without permission and get trespassed. Nobody cares how you got there. The issue is that you are not authorized to use the mall property for that activity.

And like I told you already, the mall owner is the one who gets to decide what you are authorized and not authorized to do.

Re:Shitty summary. Read the actual complaint

[Obfuscant]

since they obviously cancel any orders that do go through, which makes the users of the services trust them less.

Not only that, but during the time that the property is rented it is not available to rent to someone who is actually seeking a place to stay. Further, if there are credit charges for deposits that need to be refunded, the company loses any transaction fees. These are even more direct material harm to the companies.

If the company tracks interest in a property and bases its rental rates on that interest, then fake rentals may appear to be fake demand, with an associated increase in the rental rate -- which will drive real customers away, or have them paying artificially inflated rates. These are material harm to both the company and the consumer.

Re:Shitty summary. Read the actual complaint

[clovis]

Whether I two-finger type in my userid "clovis" or use a vbscript sendkey to send the same string, the http/TCP/IP packet that arrives at the web site is indistinguishable.

That's nice but irrelevant.

How can the owner of a web site say that I cannot take a screen shot on my own PC or photograph the screen?

My God, are you never going to stop with this nonsense? They can't. And you know they aren't trying.

I'm not inventing these things. They are discussed in the complaint. You clearly have not read it.

The fact that you are creating thousands of packets containing fake names over a few hours pretending to want to rent an apartment on airbnb and sending them to the airbnb servers is the relevant bit.

Where did you get the idea that the researchers are creating thousands of packets containing fake names over a few hours?
Did you make that up, or do you have a source?

Re:Shitty summary. Read the actual complaint

[clovis]

BTW, good talk ... see you around.

Re:The ends do not justify the means ...

[Khashishi]

You can avoid social media if you want--it won't stop the companies from harvesting and selling your data. If you vote, pay taxes, own property, have a bank account, use a phone, you'll be tracked anyways. And if you have friends (or enemies), nothing stops them from posting your info.

Re:Cambridge Analytica started off as 'research'

[parkinglot777]

TFA notes this as well. This is an area where I say the ACLU is wrong, if their cause has a good case then they can make an arrangement with the service provider rather they flaunt a right to 'break the rules'.

You should read the news from the original ACLU one. Slashdot shouldn't use the current link to a blogger anyway...

Re:same argument used for experimentation on peopl

[greenwow]

Because the intent is different. The intent here is social justice so the law shouldn't be allowed to be used against that.

Re:The ends do not justify the means ...

You don't own data about you. Too bad and all, but that's the state of affairs.

Fine .. then every single purveyor of data, their family, their children, their grandchildren, and friends ... should be entirely and thoroughly doxxed. Throw in any lawmaker who has ever voted against data privacy, and their families as well.

Let's level that fucking playing field, and stop pretending that rich assholes like Zuckerfuck get privacy and we don't.

Let's take this shit to its logical conclusion, and go scorched earth on the people who want to sell our data ... and then let's see what side of privacy they come down on.

Because these lying sacks of shit will all claim that is different. Fuck 'em all.

Re:The ends do not justify the means ...

[sycodon]

vote, pay taxes, own property,

Public Data

bank account

Private. Penalties should exist.

use a phone

Hmm...mixed. Public airwaves. Almost like a CB Radio.

Deliberate legislation required if it doesn't already exist.

The summary is terrible

The summary is terrible, the short version of the argument is that private companies shouldn't be able to write overbearing ToS and turn violations into a federal felony under the CFAA. The only thing it does is to make it so private companies can't attack people with felonies over some stupid ToS on their website. They could still go after you at the civil (but not criminal) level for damages related to any breach of your agreements, the main difference is that they can't get you thrown into jail for violating some nonsense they wrote on their web page this way.

If you want to defend privacy, it's better to get actual privacy laws so that the hundred thousand other companies who misused the Facebook friends API to suck in your social graph can't misuse it. Yes, I realize the only thing that CA did wrong was to break Facebook's ToS, but making that into a federal felony is a bad idea because a ton of you have likely broken their ToS in some trivial way don't belong in prison. I mean, they're especially after disparagement clauses. Would you like for everyone with a Facebook account to be forced, under pain of federal felony charges, to not be able to say bad things about Facebook any more?

Because that's the kind of crap you're asking for if you defend this use of the CFAA.

Aaron Swartz but we need an PD willing so stand up

[Joe_Dragon]

Aaron Swartz but we need an PD willing so stand up to long case with EULAs as the contracts and no 100K+ bails